The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
Security visibility from development to operations to minimize risk
GitLab provides the single application organizations need to find, triage, and fix vulnerabilities, from development to production. This empowers organizations to apply repeatable, defensible processes that automate security and compliance policies that proactively reduce overall security risk.
The Sec Section focuses on providing security and compliance visibility across the entire software development lifecycle and is comprised of the Secure and Govern stages of the DevOps lifecycle. This is accomplished by shifting security testing left with the Secure stage, enabling developers to begin security scanning with their first written line of code, and by providing organizations with visibility and control over the security risk present across their environment with the Govern stage.
GitLab is uniquely positioned to fully support DevSecOps by providing a single application for the entire software development lifecycle. This includes both shifting Application Security Testing (AST) left as well as providing visibility and control over security and compliance findings, from first line of code to production.
GitLab’s single application maps directly to the DevSecOps lifecycle. GitLab's Secure Stage focuses on pinpointing vulnerabilities and weaknesses, from development to production, while the Govern Stage provides visibility and control over the security & compliance findings Secure detects. Together, GitLab supports all teams involved in delivering secure applications:
The earlier a security vulnerability can be remediated has both risk reduction and cost reduction benefits.
When security vulnerabilities are identified at the time of code commit, developers can understand how their newly introduced code has led to this new issue. This gives the developer a cause-and-effect enabling quicker resolution while not having the time hit of context switching. This is not true as security scanning is performed later in the software development lifecycle. New vulnerabilities may not be identified until weeks or months after they were added to the application while under development.
Time is not the only savings when shifting security left.
In “The Economic Impacts of Inadequate Infrastructure for Software Testing”, NIST estimated the cost of remediating software bugs at $59.5 billion/year. This is compounded when taking in the average time to remediate software bugs. In “Software Development Price Guide & Hourly Rate Comparison”, FullStack Labs estimates the average cost of a software developer at $300/hour. The following table outlines the cost to remediate software bugs at different stages of the software development lifecycle:
These costs are just the start of the financial impact when the software bug is also a software vulnerability. IBM, in partnership with the Ponemon Institute, put the average cost to remediate a data breach in 2020 at $3.86 million (USD). This does not take into consideration the reputation impact to the organization.
Having visibility into security risk in just development only provides you with half of the picture. Development and SecOps teams need to have a closed feedback loop enabling both teams to be successful. Development teams can gain insight into attacks targeting the applications they develop. This allows them to prioritize vulnerabilities correctly, enabling proactive resolutions to reduce risk. Likewise, SecOps teams can gain insight from their development counterparts, providing them with visibility into how the application works. This allows them to best apply proactive measures to mitigate attacks targeting the application until development can fix the vulnerability.
Closing the loop requires close collaboration, transparency, and efficiencies that only a single platform for the entire DevOps lifecycle can provide. Shifting security left while also providing protection for applications in production within a single application empowers teams to work closer together. Security is a team sport and teams working together can best reduce their organization’s overall security risk.
The Security Section is made up of two DevOps stages, Secure and Govern, and seven groups supporting the major categories of DevSecOps including:
The existing team members for the Sec Section can be found in the links below:
Learn more about GitLab's investment into the Sec section by visiting our Product Investment page within the Internal Product Handbook.
A complete list of released features can be found on the Release Feature Overview page and a complete list of upcoming features can be found on the Upcoming Releases page.
Everyone benefits when security is a team effort as testing happens regularly, issues are found earlier, and code shipped is more secure. To make this possible, security must be approachable, not overburden teams, and results must be easy to interpret. Security testing tools and processes must be adapted to your developers (and not the other way around). This means bringing security into the workflow of your developers such that they can stay within their context without having unnecessary steps added to their daily work. Furthermore, results provided as security findings must be presented in a way that they can be interpreted without needing a PhD in cybersecurity. This includes providing enough detail to begin identifying the root cause (including identifying the section of code causing the security finding) and suggesting remediation steps (including automatic remediation) as well as pointing to industry standards related to the security finding. By implementing an integrated DevSecOps lifecycle with actionable results, security becomes everyone’s responsibility.
As examples, GitLab will provide:
The “shift left” approach is not a new concept within software testing and DevOps best practices. It is commonly thought of when discussing the DevSecOps lifecycle. This usually includes security testing earlier in the software development lifecycle with the goal of identifying security vulnerabilities and weaknesses prior to shipping code to operations. Today’s techniques include static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), dependency scanning, and license compliance. The continuation of the “shift left” approach requires a harder shift left, bringing security testing as close as possible to the developer. This enables earlier detection of security vulnerabilities and weaknesses, thus lowering the cost of remediation (as well as reducing work for the entire team as security findings are addressed prior to reaching the QA and security teams).
As examples, GitLab will provide:
Security testing doesn’t stop once code is shipped. New vulnerabilities, security weaknesses and, attacker techniques are constantly discovered, leaving operations and their associated applications and services open to being compromised. Also, as organizations continue to shift to the cloud and employ cloud-native strategies, new attack surfaces are exposed that did not exist within the traditional data center. These include items like cloud storage permissions and unwanted network services. Applications, services, and their associated cloud-native infrastructure need to be assessed just as a user (or an attacker) would interact with them. This means performing the same tasks that an attacker would perform including reconnaissance, vulnerability assessment, and penetration testing. Implementing a continuous assessment strategy of operations is needed to provide full visibility into all potential risk.
As examples, GitLab will provide:
Security findings, without context, can lead to making incorrect decisions on remediation, leaving applications and services vulnerable. With more data made available, better decisions can be made while prioritizing security findings, enabling users to best manage their security risk. Furthermore, this enables developers to write secure code, build operations to package dependencies free of vulnerabilities, and security team members to test deeper than previously achievable. Leveraging machine learning provides active intelligence, enabling users to make smart, data-driven decisions at the right time, lowering overall security risk. Machine learning, to be successful, relies on big data to build accurate models. The GitLab community includes developers, build operators, and security teams all working together within their organizations to code, build, deliver and secure application and services going into operations. As a global community, developers can learn from each other to identify and better secure code. Dependency vulnerabilities and weaknesses can be avoided, and security teams can test smarter, faster, and deeper. Machine learning, powered by anonymized data, provides active intelligence enabling data-driven decisions.
As examples, GitLab will provide:
At GitLab, we believe everyone can contribute and security is everyone’s responsibility. We empower GitLab users by providing security tools which include Static Analysis, Dynamic Analysis, Container Scanning, Dependency Scanning, and License Scanning. However, we recognize our users may have existing security tools and may want to continue to use them. As such, we strive to play well with others. Security tool vendors will be provided standardized components (e.g., APIs) within the GitLab complete DevOps platform enabling easy integration into our Security Dashboard and Merge Request controls including security approvals. This allows our users to have alternate security tools that either replace, or augment, our Secure tools.
As examples, GitLab will provide:
If you are interested in contributing such an integration, please create an issue so we can collaborate on questions and adding any enabling functionality.
Generative AI will empower small, centralized security teams to scale and effectively support their companies' development organizations, even when those teams are outnumbered 250:1. AI can enhance security teams' effectiveness, efficiency, and overall cost-effectiveness by being integrated into their daily operations. Additionally, AI will play a crucial role in helping companies shift security left, allowing developers to participate in vulnerability management and overall risk reduction.
When it comes to vulnerability and dependency management two problems are hard to solve that could be solved with AI:
Security teams need centralized management for their security and compliance workflows. Features such as user management, compliance labels, security policies, and the vulnerability and dependency lists need to allow for centralized management that applies across all of an organization's projects.
Govern capabilities will ensure that compliance regulations are strictly followed in a way that they cannot be bypassed without the proper approvals. This includes providing the necessary tools to audit, monitor, and manage the compliance controls that are enforced.
Govern capabilities will serve as a connection point for a seamless workflow spanning across the DevSecOps lifecycle. By enabling collaboration between types of users, Govern can help solidify the advantages GitLab has to offer as a single application. For example, these areas might include the following:
Govern capabilities will be pre-configured with reasonable defaults out-of-the-box whenever possible. When not possible, they will be easy to configure either through code or through a guided UI workflow that is friendly to users without coding knowledge. Regardless of how the capabilities are configured, they will be stored as code for ease of management.
For example, GitLab's security policy editor supports editing policies in both a rule mode
and in yaml mode
.
Govern capabilities allow organizations to lock down every aspect of their supply chain. This includes securely authenticating users into GitLab, hardening the GitLab platform itself, and verifying every step along the DevSecOps lifecycle as code is created, built, and deployed.
The Sec team has been actively delivering updates to help you reduce risk. The following are some highlights from recent GitLab releases:
The Sec team is actively working to bring world class security to DevSecOps and the following outlines where we are currently investing our efforts:
To meet our audacious goals, the Sec Section will focus on the following over the next 12 months:
The following will NOT be a focus over the next 12 months:
GitLab identifies who our DevSecOps application is built for utilizing the following categorization. We list our view of who we will support when in priority order.
To capitalize on the opportunities listed above, the Sec Section has features that make it useful to the following personas today.
As we execute our 3 year strategy, our medium term (1-2 year) goal is to provide a single DevSecOps application that enables collaboration between developers, security teams, SecOps teams, and QA Teams.
The Sec section is composed of two stages, Secure and Govern, each of which contains several categories. Each stage has an overall strategy statement below, aligned to the themes for Sec. Each category within each stage has a dedicated direction page plus optional documentation, marketing pages, and other materials linked below.
The Secure stage enables accurate, automated, and continuous assessment of your applications and services enabling you to proactively identify vulnerabilities and weaknesses to minimize your security risk. Secure is not an additional step in your process nor an additional tool to introduce to your process. it is woven into your DevOps cycle thus allowing you to adapt your security testing and processes to your developers (and not the other way around).
Scans your application source code and binaries to spot potential vulnerabilities before deployment. SAST supports scanning a variety of different programming languages and automatically chooses the right analyzer even if your project uses more than one language. Vulnerabilities, additional data, and solutions are shown in-line with every merge request. Scanner results are collected and presented as a single report. This category is at the "complete" level of maturity.
Priority: high • Documentation • Direction
Scans your repository to help prevent your secrets from being exposed. Secret Detection scanning works on all text files, regardless of the language or framework used. Code pushed to a remote Git branch can be rejected if a secret is detected. This category is at the "viable" level of maturity.
Priority: medium • Documentation • Direction
Analyzes your source code quality and complexity. This helps keep your project’s code simple, readable, and easier to maintain. This category is at the "minimal" level of maturity.
Runs automated penetration tests to find vulnerabilities in web applications and APIs as they are running. DAST can run live attacks against a Review App, an externally deployed application, or an active API. Scans can be run for every merge request, on a schedule, or even on-demand. DAST supports user inputted HTTP credentials to test private areas of your application. Vulnerabilities, additional data, and solutions are shown in-line with every merge request. Scanner results are presented as a single report. This category is at the "complete" level of maturity.
Priority: high • Documentation • Direction
Secures and protects web Application Programming Interfaces from unauthorized access, misuse, and attacks. Tests for known vulnerabilities by performing penetration testing of APIs with DAST. Finds unknown vulnerabilities by performing Fuzz Testing of web API operation parameters.Users can provide credentials to test authenticated APIs. Vulnerabilities, additional data, and solutions are shown in-line with every merge request.. Scanner results are collected and presented as a single report. This category is at the "complete" level of maturity.
Priority: high • Documentation • Direction
Sends random inputs to an instrumented version of your application in an effort to cause unexpected behavior in order to identify a bug that needs to be addressed. Helps you discover bugs and potential security issues that other QA processes may miss. This category is at the "complete" level of maturity.
Priority: high • Documentation • Direction
Analyzes external dependencies within your application for known vulnerabilities on each CI/CD code commit. Vulnerabilities, additional data, and solutions are shown in-line with every merge request. Scanner results are collected and presented as a single report. Upon code commit, project dependencies are searched for approved and denied licenses defined by per project custom policies. Software licenses are identified if they are not within policy and are shown in-line for every merge request for immediate resolution. This category is at the "viable" level of maturity.
Priority: high • Documentation • Direction
Scans your container images for known vulnerabilities within the application environment. Image contents are analyzed against public vulnerability databases.Security findings, additional data, and solutions reported in-line with every merge request along with additional data including solutions. Results are presented as a single report. Container Scanning is considered part of Software Composition Analysis. This category is at the "viable" level of maturity.
Priority: medium • Documentation • Direction
The GitLab Advisory Database serves as a repository for security advisories related to software dependencies. GitLab integrates the advisory database with its proprietary and open-source application security scanning tools. In order to maintain the efficacy of those scanners, we strive to keep their underlying vulnerability databases up-to-date.
Priority: high • Direction
Continuously assess your applications and services are not vulnerable to security threats through automated, real-world emulated scenarios to identify weaknesses in your attack surface
Priority: low
We follow the buyer-based tiering strategy
This tier is the primary way to increase broad adoption of our suite of applcation security scanners, as well as encouraging community contributions and improving security across the entire GitLab user base.
As a general rule of thumb, features will fall in the Core/Free tier when they meet one or more of the following criteria:
Examples:
This tier is not a significant part of the pricing strategy for the AST stage.
This tier is the primary focus for the AST stage as the security posture of an organization is typically a primary concern of the executive team and even the board of directors. Just as a major security incident has far reaching consequences that impact the entirety of an organization, the features and capabilities that enable organizations to assess their overall security risk tend to be valued with equal weight. The types of capabilities that fall in the Ultimate/Gold tier vs an unpaid tier should be those that are necessary for an organization, rather than an individual, to properly secure their code before pushing it into a production environment.
As a general rule of thumb, features will fall in the Ultimate/Gold tier when they meet one or more of the following criteria:
Examples:
The Govern stage helps organizations to reduce their overall risk by applying appropriate management and governance oversight across the entire DevSecOps lifecycle. Govern provides management tools to secure the GitLab platform itself by restricting access to authenticated users and ensuring they are provisioned with the least amount of required privileges. To help manage and monitor risk levels, the Govern stage provides visibility into user permissions and activity; project dependencies; security findings; and aderence to compliance standards. This visibility is then coupled with enforcement capabilities to proactively prevent risks by automating compliance and securing the software supply chain.
System Access provides tools to authenticate through all points of GitLab (UI, CLI, API). These tools allow you to configure what an individual/process has access to once they authenticate, determined by their role. GitLab integrates with several OmniAuth providers, LDAP, SAML, and more.
GitLab provides various permissions and roles in order to evaluate what access or rights an identity should have in an environment. Custom roles can also be created to allow an organization to create user roles with the precise privileges and permissions desired.
Audit Events track important actions within GitLab along with who performed the actions and the time in which they occurred. These events can be used in a security audit to assess risk, strengthen security measures, respond to incidents, and adhere to compliance. This category is at the "viable" level of maturity.
Priority: high • Documentation • Direction
Compliance Management provides customers with the tools necessary to ensure and manage their compliance programs. Compliance Workflow Automation is provided to enforce custom pipelines to run on projects which have specific compliance needs. For compliance oversight, the Compliance Center provides a central location for compliance teams to manage their compliance standards adherence reporting, violations reporting, and compliance frameworks for their group. This category is at the "viable" level of maturity.
Priority: high • Documentation • Direction
Dependency Management allows users to review project/group dependencies and key details about those dependencies, including their vulnerabilities, licenses, and packager. This category is at the "viable" level of maturity.
Priority: high • Documentation • Direction
GitLab allows you to secure your software supply chain including push rules, code scanning, SBOM management, and enforcement of compliance policies. This category is at the "viable" level of maturity.
Priority: high • Learn more • Documentation • Direction
Insider Threat identifies attacks and high risk behaviors by correlating different data sources and observing user behavioral patterns
Instance Resiliency provides tools to prevent malicious activity from occurring within GitLab Instances. These tools include external pipeline validation allowing you to use an external service to validate a pipeline before it is created.
Secure and protect access to secrets, such as API keys and passwords, to ensure that sensitive data is protected throughout your development process. This category is at the "minimal" level of maturity.
Artifact Security focuses on the hardening of artifacts, to ensure the authenticity of artifacts.
Release Evidence provides assurances and evidence collection that are necessary for you to trust the changes you're delivering. When a release is created, GitLab takes a snapshot of relevant release data as evidence that it occurred. This category is at the "viable" level of maturity.
Govern is focused on providing governance and compliance features that span across the DevSecOps lifecycle. Govern’s tiering strategy aligns with the GitLab approach of selecting the tier based on who cares most about the feature. Because Executives generally care most about governance features, it is expected that most Govern features will land in the Ultimate tier.
This tier is the primary way to increase broad adoption of the Govern stage, as well as encouraging community contributions and improving security across the entire GitLab user base.
As a general rule of thumb, features will fall in the Free tier when they meet one or more of the following criteria:
This tier is not a significant part of Govern's pricing strategy; however, a few features features that primarily appeal to Directors rather than Executives may fall into the Premium tier. One example of this is our audit event functionality that is available in this tier.
This tier is the primary focus for the Govern stage as most Govern features enable executives to ensure that their organization meets compliance requirements and maintains an acceptable security posture.
As a general rule of thumb, features will fall in the Ultimate tier when they meet one or more of the following criteria:
Last Reviewed: 2022-10-11
Last Updated: 2022-10-11